June 27, 2013

Duke Researcher Develops App To Protect Against False Keyboards

Google's mobile OS, Android, has seen more than its fair share of security issues, including malicious apps, phishing attacks, and the like. As such, locking down the system and keeping it safe for all users is of great importance. Some malicious apps, for instance, draw a false keyboard of their own in place of the system keyboard, capture what the user types into it, such as passwords, and send that data to a server of the attacker's choosing.

Landon Cox, a computer scientist at Duke University in North Carolina, has developed a method which he believes will prevent this behavior and protect users against malicious developers.

Called ScreenPass, the app can alert users when an app sends their password to a location they have not approved. What's more, it lets users choose which destinations may receive their password once they have entered their login information. Cox and his team plan to release the app to the public after presenting it this week at the MobiSys 2013 conference in Taipei on June 27.

"Passwords are a critical glue between mobile apps and remote cloud services," Cox said in a press statement. "The problem right now is that users have no idea what happens to the passwords they give to their apps."

In their paper, Cox and his team describe how such malicious apps use false keyboards to capture a user's input. To evade detection, these false keyboards will often change the font of the keys, skew the letters, or even blur the text and add random noise behind the keys, the same tricks CAPTCHAs use to defeat automated reading of on-screen text. One test keyboard was drawn on top of a floral-print background. In the tests, ScreenPass detected every false and potentially malicious keyboard except the flowery one, a reminder that visual obfuscation remains a way around this kind of check. After testing it on their own devices, Cox and his team gave the app to 18 volunteers to see how usable it was for people who had no hand in developing it.

These testers ran the app for three weeks and reported that it was not difficult to use and that it was clear what to do if they came across a flagged keyboard.

After running ScreenPass against 27 unnamed apps from the Google Play store, the Duke team reported that three apps sent passwords in plain text over the network, four stored passwords on the device without any encryption to protect them, and three sent passwords to domains owned by third parties.
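The three findings above are exactly the checks a password-flow monitor of the kind described for ScreenPass would perform: tag the password when it leaves the trusted keyboard, follow the tag to the network and storage sinks, and compare the destination against the domains the user approved. The following toy model is an added example written for this page, not ScreenPass's code; the `Tainted` and `PasswordPolicy` names, the sample app, its URLs, and the storage path are all constructed for illustration.

```python
# Added example: a toy model of the password-flow policy the article attributes to ScreenPass.
# Class and function names are assumptions for illustration; this is not ScreenPass's own code.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Tainted:
    """A string that originated in the trusted password keyboard.

    Concatenating a Tainted value with ordinary strings yields another
    Tainted value, so the label survives the usual "user=...&pw=..." building
    an app does before it talks to the network. (f-strings and .format() call
    str() and would drop the label; a real tracker would have to hook those too.)
    """
    value: str

    def __add__(self, other):
        other_value = other.value if isinstance(other, Tainted) else other
        return Tainted(self.value + other_value)

    def __radd__(self, other):
        return Tainted(other + self.value)


class PasswordPolicy:
    """Polices the two sinks the article's findings concern: network sends and on-device storage."""

    def __init__(self, allowed_domains):
        # Domains the user approved as legitimate recipients of this password.
        self.allowed = {d.lower() for d in allowed_domains}
        self.alerts = []

    def _host_allowed(self, host):
        # Exact match or a subdomain of an approved domain; "evilexample.com" does not qualify.
        return any(host == d or host.endswith("." + d) for d in self.allowed)

    def send(self, url, payload):
        """Network sink. Returns the alerts raised for this send (empty if none)."""
        if not isinstance(payload, Tainted):
            return []  # no password in this payload; nothing to police
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        found = []
        if not self._host_allowed(host):
            found.append(f"password sent to untrusted domain {host}")
        if parts.scheme != "https":
            found.append(f"password sent in plain text over {parts.scheme or 'unknown scheme'}")
        self.alerts.extend(found)
        return found

    def store(self, path, payload, encrypted):
        """Storage sink. `encrypted` is whatever the app's storage layer reports."""
        if not isinstance(payload, Tainted) or encrypted:
            return []
        alert = f"password stored unencrypted at {path}"
        self.alerts.append(alert)
        return [alert]


def audit_sample_app():
    """Replays constructed traffic for a fictional app whose user approved only example.com."""
    policy = PasswordPolicy(["example.com"])
    pw = Tainted("hunter2")  # constructed sample; in practice it comes from the trusted keyboard
    body = "user=alice&pw=" + pw  # still Tainted after concatenation

    policy.send("https://login.example.com/auth", body)           # legitimate: no alert
    policy.send("http://api.example.com/login", body)             # right domain, but plain text
    policy.send("https://metrics.third-party.net/collect", body)  # third-party domain
    policy.store("/data/data/com.example.app/shared_prefs/creds.xml", pw, encrypted=False)
    policy.send("https://metrics.third-party.net/collect", "screen=login")  # no password: fine
    return policy.alerts


if __name__ == "__main__":
    for line in audit_sample_app():
        print("ALERT:", line)
```

The replayed app trips all three of the article's findings (plain-text send, unencrypted storage, third-party domain) while the legitimate HTTPS login and the password-free analytics call pass untouched. Note that the storage check trusts the app's own report of whether the file is encrypted; a real monitor would inspect the write itself rather than take the app's word for it.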

Cox readily admits there are few malicious apps available which use false keyboards to steal passwords, but says this kind of attack could become more popular in the coming years.

He's probably not wrong; studies have consistently found far more malware targeting Android than Apple's iOS.

One study released in April found the number of infected Android devices had skyrocketed, growing by 163 percent in 2012, and as the platform becomes even more popular, malicious developers are likely to find new ways to break into the OS and steal users' private data.